[ad] Just in case you didn’t read it, found this one in the archives. A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without […]
Exploits/Vulnerabilities
AJAX: Is your application secure enough?
Introduction We see it all around us, recently. Web applications get niftier by the day by utilising the various new techniques recently introduced in a few web-browsers, like I.E. and Firefox. One of those new techniques involves using Javascript. More specifically, the XmlHttpRequest-class, or object. Webmail applications use it to quickly update the list of […]
IE Address Bar Spoofing
I recently found on securityfocus mailinglist a bug in IE which can be exploited with a simple javascript code to spoof the address bar location… This allow attacker inject a malicious shockwave-flash application into Internet Explorer while it is display another URL (even trusted sites). The vulnerability has been confirmed on a fully patched system […]
Information about the Internet Explorer Exploit createTextRange Code Execution
[ad] Internet Storm Center’s always informative Diary has some good information. At the urging of Handler Extraordinaire Kyle Haugsness, I tested the sploit on a box with software-based DEP and DropMyRights… here are the results: Software-based DEP protecting core Windows programs: sploit worked Software-based DEP protecting all programs: sploit worked DropMyRights, config’ed to allow IE […]
FrSIRT Starts Charging for OTHER Peoples Work (Exploits)
Is it ethical or even legal to charge for other peoples work? As far as I know France seems have some pretty strong (and weird) copyright laws. And yes, they are blaming French Laws prohibiting full disclosure. In conformity with applicable French laws prohibiting Full-disclosure, the FrSIRT will no longer distribute exploits and PoCs on […]